The present invention relates to the field of software applications generally, and specifically to the implementation of financial applications. The corporate accounting scandals surrounding WorldCom, Enron and Tyco in 2002 spurred the passage of the Sarbanes-Oxley Act of 2002. The Act creates an obligation for officers of a company to warrant to their shareholders the accuracy of the company's accounting information, the controls in place to safeguard the assets of the company, and the validity of the financial statements they produce. Although these obligations have previously existed in a weaker form in the United States, the advent of the Sarbanes-Oxley Act has made these obligations much stronger. Any company that is listed on an American stock exchange has these obligations.
The Act codifies a framework for internal accounting controls specified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO establishes three categories of controls: Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; and Compliance with Laws and Regulation. COSO also establishes five interrelated components of effective internal control: Control Environment; Risk Assessment; Control Activities; Information and Communications; and Monitoring. In summary, the methodology prescribed by COSO includes identifying the opportunities for fraudulent reporting, determining the risks arising from these opportunities, and then providing accounting controls to mitigate these risks.
One method of identifying opportunities for fraudulent reporting is to exhaustively test and analyze all of the processes and organizations in an enterprise. However, such comprehensive testing is typically impractical if not impossible. As a practical matter, enterprises have limited amounts of time and money available to devote to audits. Previously, enterprises have planned audits in an ad hoc manner. Auditors review balance sheets, organizational charts, and other information to manually select organizations and accounting controls to be audited. This approach depends solely on the auditors' judgment to select the most critical organizations and controls for auditing. Organizations and controls with large impacts on the enterprise are often left unaudited, potentially leading to disastrous results. To compensate, enterprises must often devote additional resources to audit a large number of non-critical organizations and controls in the hopes of including critical organizations and controls.
It is therefore desirable for an audit system to enable auditors to plan effective audits. It is further desirable for the audit system to identify audit units having potentially large impacts and risks on an enterprise and to enable auditors to select audit units to include in audits based on a variety of different criteria.